Hi Joshua,

Joshua Brindle wrote:
> HarryCiao wrote:
> <snip>
>
>> The implementation of the save-linked option has no idea about the effort to
>> separate tunables from booleans, so I am afraid it won't help much.
>
> I'm not sure about this. The linked policy should have everything that the
> original modules had, with only the value mapping changed. The expansion is
> where things get removed. This behavior should not change for a variety of
> reasons, including the ability to do a full semantic analysis of the linked policy.

I can't agree more that the linked module has everything but with the identifiers' values remapped. Actually, separate_tunables() is called at the very end of the link phase, which would do three operations:

1. change the flags for some cond_bool_datum_t;
2. change the flags for some cond_node_t;
3. re-link the effective branch of a tunable conditional to the end of its home decl->avrules list.

The 1st and 2nd operations won't stand in the way of any analysis, and we could set the "handle-tunable = preserve" option in semanage.conf to bypass the 3rd one.

Thanks,
Harry